Cisco IOS Software Precision Time Protocol Denial of Service Vulnerability

A vulnerability in the Precision Time Protocol (PTP) subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Precision Time Protocol.

The vulnerability is due to insufficient processing of PTP packets. An attacker could exploit this vulnerability by sending a custom PTP packet to, or through, an affected device. A successful exploit could allow the attacker to cause a DoS condition for the PTP subsystem, resulting in time synchronization issues across the network.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ptp

This advisory is part of the September 26, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2018-0473


Failover issues with SGOS on ESX and Cisco


Hi there,

I’m having an issue with failover on two virtualized Symantec (Bluecoat) proxies on two ESX hosts in two datacenters connected with Cisco switches.

I can see the multicast traffic leaving the proxy and getting out into the world over the Cisco switches until the firewall blocks it. The packets should be delivered on L2 to the other switch to get into the other ESX host and the other proxy running there.

But on the other host I don’t see any multicast traffic incoming. Hence both feel responsible for the virtual IP, which causes problems with Skype etc.

Did anyone have such an issue before? On ESX we have already activated promiscuous mode for that VLAN/subnet, but that didn’t change the issue.

The hardware proxies in the same network see the multicast traffic incoming from the virtual machines and behave accordingly. As the virtual proxies don’t receive any multicast traffic, they always assume they are master, as the other one is not sending any updates.

I would understand if there were an issue between the two Cisco switches so that multicast traffic is not forwarded to the other one. Another idea is that there is a special setting on the ESX machine I’m not aware of? Any idea?

Thanks in advance,

Manfred


Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) implementation of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to insufficient validation of input SIP traffic. An attacker could exploit this vulnerability by sending a malformed SIP packet to an affected Cisco Unified Communications Manager. A successful exploit could allow the attacker to trigger a new registration process on all connected phones, temporarily disrupting service.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-cucm-dos

Security Impact Rating: High

CVE: CVE-2019-1887


Cisco Nexus 9000 Series Fabric Switches ACI Mode Fabric Infrastructure VLAN Unauthorized Access Vulnerability

A vulnerability in the fabric infrastructure VLAN connection establishment of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN.

The vulnerability is due to insufficient security requirements during the Link Layer Discovery Protocol (LLDP) setup phase of the infrastructure VLAN. An attacker could exploit this vulnerability by sending a malicious LLDP packet on the adjacent subnet to the Cisco Nexus 9000 Series Switch in ACI mode. A successful exploit could allow the attacker to connect an unauthorized server to the infrastructure VLAN, which is highly privileged. With a connection to the infrastructure VLAN, the attacker can make unauthorized connections to Cisco Application Policy Infrastructure Controller (APIC) services or join other host endpoints.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-n9kaci-bypass

Security Impact Rating: High

CVE: CVE-2019-1890


Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches Firmware and Cisco FindIT Network Probe

On June 3, 2019, SEC Consult, a consulting firm for the areas of cyber and application security, contacted the Cisco Product Security Incident Response Team (PSIRT) to report the following issues that they found in firmware images for Cisco Small Business 250 Series Switches:

  • Certificates and keys issued to Futurewei Technologies
  • Empty password hashes
  • Unneeded software packages
  • Multiple vulnerabilities in third-party software (TPS) components

Cisco PSIRT investigated each issue, and the following are the investigation results:

Certificates and Keys Issued to Futurewei Technologies

An X.509 certificate with the corresponding public/private key pair and the corresponding root CA certificate were found in Cisco Small Business 250 Series Switches firmware. SEC Consult calls this the “House of Keys.” Both certificates are issued to the third-party entity Futurewei Technologies, a Huawei subsidiary.

The certificates and keys in question are part of the Cisco FindIT Network Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware. These files are part of the OpenDaylight open source package. Their intended use is to test the functionality of software using OpenDaylight routines. The Cisco FindIT team used those certificates and keys for their intended testing purpose during the development of the Cisco FindIT Network Probe; they were never used for live functionality in any shipping version of the product. All shipping versions of the Cisco FindIT Network Probe use dynamically created certificates instead. The inclusion of the certificates and keys from the OpenDaylight open source package in shipping software was an oversight by the Cisco FindIT development team.

Cisco has removed those certificates and associated keys from FindIT Network Probe software and Small Business 250, 350, 350X, and 550X Series Switches firmware starting with the releases listed later in this advisory.

Empty Password Hashes

The /etc/passwd file included in Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware has empty password hashes for the users root and user.

The /etc/passwd file is not consulted during user authentication by Small Business 250, 350, 350X, and 550X Series Switches firmware. Instead, a dedicated alternate user database is used to authenticate users that log in to either the CLI or the web-based management interface of Small Business 250, 350, 350X, and 550X Series Switches.

A potential attacker with access to the base operating system on an affected device could exploit this issue to elevate privileges to the root user. However, Cisco is not currently aware of a way to access the base operating system on these switches.

Future firmware releases will replace the empty hashes with hashed, randomly generated passwords during initial boot.

Unneeded Software Packages

An attacker who gains access to the CLI of the base operating system may be able to misuse the gdbserver and tcpdump packages that are included in Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware as part of the base operating system. Cisco is not currently aware of a way to access this part of the system on these switches.

Future firmware releases will not include the gdbserver and tcpdump packages.
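The three finding types above (empty password hashes in /etc/passwd, bundled private keys, and debug packages left in the image) are all things a firmware reviewer can check for before a release ships. The following is an added example, not Cisco or SEC Consult code: it audits an unpacked firmware root filesystem for those artifacts, using a constructed sample tree.

```python
# Added example (not Cisco or SEC Consult code): audits an unpacked firmware
# root filesystem for the three finding types above. The sample tree built by
# build_sample_rootfs() is constructed for illustration only.
import os, tempfile

DEBUG_TOOLS = {"gdbserver", "tcpdump"}   # packages the advisory calls unneeded
KEY_MARKER = b"PRIVATE KEY-----"          # PEM private-key header/footer fragment

def empty_password_accounts(root):
    """Accounts whose password field in etc/passwd is empty (no password needed)."""
    found = []
    with open(os.path.join(root, "etc/passwd"), encoding="utf-8", errors="replace") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) > 1 and fields[1] == "":   # field 1 is the hash
                found.append(fields[0])
    return found

def embedded_private_keys(root):
    """Files carrying PEM private-key material (the 'House of Keys' case)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if KEY_MARKER in fh.read(1 << 20):   # PEM keys are small
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def debug_tools_present(root):
    """Binaries from packages a shell-level attacker could misuse."""
    return sorted(n for _, _, fs in os.walk(root) for n in fs if n in DEBUG_TOOLS)

def build_sample_rootfs():
    """Constructed sample tree that reproduces all three issue types."""
    root = tempfile.mkdtemp()
    files = {
        "etc/passwd": "root::0:0:root:/root:/bin/sh\n"
                      "user::1000:1000::/home/user:/bin/sh\n"
                      "daemon:x:1:1::/:/bin/false\n",
        "opt/test/fake.key": "-----BEGIN RSA PRIVATE KEY-----\n"
                             "placeholder-not-a-real-key\n-----END RSA PRIVATE KEY-----\n",
        "usr/bin/gdbserver": "", "usr/sbin/tcpdump": "", "bin/sh": "",
    }
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root
```

Point the three check functions at the directory produced by unpacking a firmware image (for example with binwalk) to run the same audit on real input.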

Security Impact Rating: Informational


Cisco RV110W, RV130W, and RV215W Routers Management Interface Denial of Service Vulnerability

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to reload the device, causing a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-rvrouters-dos

Security Impact Rating: High

CVE: CVE-2019-1843


SD-WAN QoS – FAQ

2. What type of traffic is allocated by default to the different classes?

In the SD-WAN environment, we think of applications as falling into one of the following three classes:

Real-time – VoIP or VoIP-like applications, such as Skype or ICA audio. In general, this refers to voice-only applications that use small UDP packets and are business critical.

Interactive – This is the broadest category and refers to any application with a high degree of user interaction. Some of these applications, for example video conferencing, are sensitive to latency and require high bandwidth. Others, such as HTTPS, may need less bandwidth but are critical to the business. Interactive applications are typically transactional in nature.

Bulk – Any application that does not need a rich user experience and is mainly about moving data (for example, FTP or backup/replication).

3. How does the real-time class work compared with the interactive class?

Real-time (RT) classes are given the highest priority and get up to 50% of the overall scheduler time. Each class can be weighted with respect to the other RT classes; for example, we could have two RT classes, one weighted to 70% and the other to 30%.

Interactive (INT) classes take the next priority and can consume the rest of the scheduler time as the traffic demands. Individual INT classes can be weighted, and by default four weights (high, medium, low and very low) are defined.

4. Will bulk suffer if interactive and real-time flows are there?

Yes. Bulk traffic is serviced after real-time and interactive traffic have been serviced. Typically, a bulk class gets a lower sustained share percentage than an interactive class.

5. How are QoS classes prioritized?

Real-time (RT) classes are given the highest priority and get up to 50% of the overall scheduler time. Each class can be weighted with respect to the other RT classes; for example, we could have two RT classes, one weighted to 70% and the other to 30%.

Interactive (INT) classes take the next priority and can consume the rest of the scheduler time as the traffic demands. Individual INT classes can be weighted, and by default four weights (high, medium, low and very low) are defined.

Bulk (BLK) classes take the lowest priority and can be considered scavenger classes. They can be weighted, but they can be completely starved of bandwidth if INT/RT traffic is consuming all of the scheduler time.

6. What is the purpose of “Retransmit Lost Packets” option under WAN General, IP Rules?

If the receiving SD-WAN appliance detects a missing packet it can request that packet to be resent by the sending SD-WAN appliance.

7. What are the criteria for the QoS calculation?

QoS is always calculated on the send side.

The fair share calculation for the services is performed per WAN link.

8. What is Dual-Ended QoS?

The receive side sends control packets to advertise the available bandwidth before the actual data transfer is initiated.

9. How is share provided during contention?

Please refer to this article: https://support.citrix.com/article/CTX256716

10. What is the difference between the Drop Limit and the Drop Depth?

Drop Limit: If the estimated queue time for a packet exceeds the threshold, the packet is discarded. Not valid for bulk classes.

Drop Depth (Send Buffer): The maximum amount of estimated time that packets smaller than the large packet size will have to wait in the class scheduler. If the queue depth exceeds the threshold, the packet is discarded and counted in the statistics.

11. How is the Drop Limit calculated (in ms)?

Number of bytes queued divided by the bandwidth available for the class.
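To make the scheduling rules from questions 3 and 5 and the Drop Limit rule from questions 10 and 11 concrete, here is an added example (not Citrix SD-WAN code) that models them: RT classes share at most 50% of the link by weight, INT classes take what remains by weight, BLK classes scavenge the rest, and a packet is dropped when its estimated queue time (bytes queued / class bandwidth) exceeds the Drop Limit. Link size, class names, weights and demands are constructed for illustration.

```python
# Added example (not Citrix SD-WAN code): models the class priority rules from
# questions 3/5 and the Drop Limit rule from questions 10/11. Link size, weights
# and demands are constructed for illustration; weights must be positive.
from dataclasses import dataclass

@dataclass
class QosClass:
    name: str
    kind: str      # "RT" (real-time), "INT" (interactive) or "BLK" (bulk)
    weight: float  # weight relative to other classes of the same kind
    demand: float  # offered load in kbps

def weighted_share(group, pool, alloc):
    """Each class gets min(demand, weighted share of pool); share a satisfied
    class leaves unused goes to its siblings. Returns the pool left over."""
    need = {c.name: c.demand for c in group}
    while pool > 1e-6 and need:
        active = [c for c in group if c.name in need]
        total_w = sum(c.weight for c in active)
        granted = 0.0
        for c in active:
            give = min(need[c.name], pool * c.weight / total_w)
            alloc[c.name] += give
            need[c.name] -= give
            granted += give
            if need[c.name] <= 1e-6:
                del need[c.name]
        pool -= granted
    return pool

def allocate(classes, link_kbps, rt_cap=0.5):
    """FAQ order: RT shares at most rt_cap of the link, INT takes what is
    left, BLK scavenges the remainder (and may be starved)."""
    alloc = {c.name: 0.0 for c in classes}
    rt_pool = link_kbps * rt_cap
    unused_rt = weighted_share([c for c in classes if c.kind == "RT"], rt_pool, alloc)
    remaining = link_kbps - (rt_pool - unused_rt)
    for kind in ("INT", "BLK"):
        remaining = weighted_share([c for c in classes if c.kind == kind], remaining, alloc)
    return alloc

def estimated_wait_ms(bytes_queued, class_kbps):
    """Question 11: bytes queued / class bandwidth, in ms (bytes*8/kbps)."""
    return float("inf") if class_kbps <= 0 else bytes_queued * 8 / class_kbps

def exceeds_drop_limit(cls, bytes_queued, class_kbps, drop_limit_ms):
    """Question 10: drop when the estimated wait exceeds the Drop Limit;
    the limit is not applied to bulk classes."""
    return cls.kind != "BLK" and estimated_wait_ms(bytes_queued, class_kbps) > drop_limit_ms
```

With a 10 Mbps link, two RT classes weighted 70/30 and two INT classes, the bulk class receives nothing while RT and INT demand fill the link, and only receives bandwidth once RT or INT demand drops below its share.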

12. What are the transmit modes based on?

  • Persistent path – Based on latency. If the latency on a path exceeds 50 ms, that path is penalized and a new path is chosen.

  • Load-balanced path – Based on packet loss.

  • Duplicate paths – Packets are duplicated over the WAN links.

13. What is MOS (Mean Opinion Score) under rule groups?

This feature gathers application statistics from the WAN to the LAN side of the virtual path. MOS is a measure of the quality of experience that an application delivers to end users. It is primarily used for VoIP applications; in SD-WAN, MOS is also used to assess the quality of non-VoIP applications.

14. What is Application QoS and how is it implemented?

By default, SD-WAN has pre-defined application families based on the type of application seen in the incoming traffic, for example Anti-Virus, Microsoft Office, etc.

It is also possible to create custom application objects.

15. QoS Fairness (RED):

Please refer to this document:

https://docs.citrix.com/en-us/netscaler-sd-wan/10/quality-of-service/qos-fairness.htm

16. Is there an option to enable Auto-Bandwidth Provisioning?

Yes. From SD-WAN version 10.2.x there is an option under Site > WAN Links > Provisioning to enable Auto-Bandwidth Provisioning.

17. What is Auto-Bandwidth Provisioning?

When enabled, the shares for all services defined in the Provisioning section are calculated automatically and applied according to the amount of bandwidth that may be required for the remote sites.

18. How do you diagnose whether a QoS issue is caused by SD-WAN or not?

Based on multiple factors:
